Zoom has decided to cease development of new product features so it can focus on fixing various privacy and security issues.

The company has seen a surge in the use of its platform in recent weeks, as self isolation in response to the Covid-19 pandemic ramps up the demand for video software. As its popularity has boomed - both for business and personal use - and the company’s stock price rocketed, underlying vulnerabilities in the platform have become apparent.

“Zoom-bombing,” where intruders have been able to access video meetings that were not password protected, has led to serious privacy concerns, with uninvited attendees harassing online A.A. meetings and church meetings, for example.

The FBI has warned of unauthorised access to virtual classrooms and recommended that users change security settings to protect meetings.

Meanwhile, Elon Musk’s SpaceX aerospace company apparently banned the use of Zoom by its 6,000 employees because of privacy and security worries, according to Reuters. Zoom has also come under fire for a vulnerability that enabled hackers to steal passwords on Windows devices, though that flaw has since been addressed.

Zoom CEO apologises for recent issues

In response to the growing concerns, Zoom CEO Eric Yuan published a blog post detailing the company’s response. He said that over the next 90 days Zoom will direct necessary resources to “better identify, address, and fix issues proactively.

“We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust,” he said.

Measures include a “freeze” on feature development, with Zoom engineers told to focus on “trust, safety and privacy issues.”

The company also plans to work with “third-party experts” to review security for consumer use of its platform; create a council of CISOs to discuss security best practices; create a transparency report in relation to “requests for data, records, or content;” expand Zoom’s bug bounty program; and conduct white box penetration tests to identify other security issues.

Yuan will also host weekly webinars to provide privacy and security updates.

Zoom needs to prove it's enterprise-ready

Zoom is going “above and beyond” by putting its roadmap on hold to address recent concerns, said Raul Castanon, senior analyst for workforce collaboration at 451 Research / S&P Global Market Intelligence. “This should help restore confidence with enterprise users, assuming the company comes up with a clear list of improvements after the 90-day period.

“Zoom is getting a lot of attention with the pandemic, and the security issues could actually be an opportunity for the company to prove it can address privacy and security for its enterprise customers,” he said.

However, Zoom still has a way to go in terms of ensuring that its platform is ready for enterprise use.

"Yuan contradicts himself with his comment about Zoom being developed for enterprise customers ‘with full IT support’ and not a ‘broader set of users,’” Castanon said.

“It is true that the pandemic is uncovering opportunities for improvement - not just for Zoom, but for most vendors - but the security flaws that have come up show the platform is not quite enterprise-grade. Yuan could have been better off without that remark.”

In another privacy incident, Zoom is being sued in California for sharing user data with Facebook. Zoom said in a March 29 blog post that it “has never sold user data in the past and has no intention of selling users’ data going forward,” and would remove the Facebook SDK (software development kit) from its iOS client, which it said was responsible for collecting device data.

Castanon commended the way Zoom handled privacy issues related to the Facebook SDK.

“Zoom will be okay, but this incident will further damage Facebook’s reputation,” he said. “Mark Zuckerberg should pay close attention to Eric Yuan’s detailed response about how Zoom is addressing security and privacy concerns.”

Related Whitepapers

Copyright 2020 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.